In this presentation, we will demonstrate methods used by Mandiant MCIRT analysts to stay ahead of intruders through rapid live response. Starting with only a small piece of evidence, such as a suspicious network connection or a host intrusion prevention system (HIPS) alert, we will trace an intruder's path through an environment backwards from the current activity to the initial point of entry, then search forward for signs of lateral movement to other systems. Once we have built a profile of the attacker's tools and tactics, we will use Indicators of Compromise (IOCs) derived from that profile to rapidly identify the full breadth of attacker activity across the environment and provide remediation recommendations to prevent future compromises.
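The pivot sequence described above (seed alert, trace back to entry, follow lateral movement forward, derive IOCs, sweep the estate), as an added example that is not part of the presentation or Mandiant's tooling. The telemetry is a small constructed event list; every host name, account, IP address and hash in it is hypothetical, and the event schema is an assumption chosen for the example.

```python
from collections import defaultdict

# Constructed telemetry (hypothetical hosts, accounts, IPs and hashes), oldest first.
# Each record is (time, host that recorded it, event kind, details). remote_logon is
# recorded on the SOURCE host with the destination in details["to"].
EVENTS = [
    (100, "WS-004", "process_start", {"image": "invoice.pdf.exe", "sha256": "HASH_A", "parent": "outlook.exe"}),
    (105, "WS-004", "net_conn", {"dst_ip": "203.0.113.45", "dst_port": 443}),
    (120, "WS-004", "remote_logon", {"to": "WS-017", "account": "CORP\\jsmith"}),
    (121, "WS-017", "process_start", {"image": "svchost_update.exe", "sha256": "HASH_B", "parent": "wmiprvse.exe"}),
    (130, "WS-017", "net_conn", {"dst_ip": "203.0.113.45", "dst_port": 443}),   # the seed alert
    (140, "WS-017", "remote_logon", {"to": "SRV-FILE01", "account": "CORP\\svc_backup"}),
    (141, "SRV-FILE01", "process_start", {"image": "svchost_update.exe", "sha256": "HASH_B", "parent": "services.exe"}),
    (150, "WS-091", "process_start", {"image": "svchost_update.exe", "sha256": "HASH_B", "parent": "cmd.exe"}),  # no logon trail; only the sweep finds it
    (160, "WS-033", "process_start", {"image": "svchost.exe", "sha256": "HASH_C", "parent": "services.exe"}),     # benign
]


def trace_to_entry(host, before):
    """Walk inbound remote logons backwards in time from the alerting host.
    A host with no inbound logon before its activity is the initial point of entry."""
    path, seen, t = [], set(), before
    while host not in seen:
        seen.add(host)
        path.append(host)
        inbound = [e for e in EVENTS if e[2] == "remote_logon" and e[3]["to"] == host and e[0] < t]
        if not inbound:
            break
        t, host, _, _ = max(inbound)  # latest inbound logon before the current pivot point
    return path


def lateral_movement(entry_host, since):
    """Breadth-first walk over outbound remote logons from the entry host, forward in time,
    returning {host: earliest time the intruder reached it}."""
    compromised, queue = {entry_host: since}, [entry_host]
    while queue:
        h = queue.pop(0)
        for t, src, kind, d in EVENTS:
            if kind == "remote_logon" and src == h and t >= compromised[h] and d["to"] not in compromised:
                compromised[d["to"]] = t
                queue.append(d["to"])
    return compromised


def build_iocs(compromised):
    """Profile the intruder from activity on compromised hosts after their compromise time.
    In real data the process events would be filtered to the intruder's tools first."""
    iocs = {"ips": set(), "hashes": set(), "accounts": set()}
    for t, host, kind, d in EVENTS:
        if host not in compromised or t < compromised[host]:
            continue
        if kind == "net_conn":
            iocs["ips"].add(d["dst_ip"])
        elif kind == "process_start":
            iocs["hashes"].add(d["sha256"])
        elif kind == "remote_logon":
            iocs["accounts"].add(d["account"])
    return iocs


def sweep(iocs):
    """Apply the IOCs to every host's telemetry to find the full breadth of activity.
    Hashes and C2 IPs are high-confidence; account hits are weaker and tagged separately."""
    hits = defaultdict(set)
    for t, host, kind, d in EVENTS:
        if kind == "net_conn" and d["dst_ip"] in iocs["ips"]:
            hits[host].add("ip:" + d["dst_ip"])
        elif kind == "process_start" and d["sha256"] in iocs["hashes"]:
            hits[host].add("hash:" + d["sha256"])
        elif kind == "remote_logon" and d["account"] in iocs["accounts"]:
            hits[host].add("account(weak):" + d["account"])
    return dict(hits)


def investigate(alert_host, alert_time):
    """Run the whole pivot from one seed alert and return the findings."""
    path = trace_to_entry(alert_host, alert_time)
    entry = path[-1]
    entry_time = min(t for t, h, _, _ in EVENTS if h == entry)
    compromised = lateral_movement(entry, entry_time)
    iocs = build_iocs(compromised)
    return {"path": path, "entry": entry, "compromised": compromised, "iocs": iocs, "sweep": sweep(iocs)}


if __name__ == "__main__":
    # Seed: the suspicious outbound connection from WS-017 at t=130.
    for k, v in investigate("WS-017", 130).items():
        print(f"{k}: {v}")
```

The point of the last step is visible in the sweep result: WS-091 never appears in the logon chain, so the path-tracing alone would miss it, but the hash IOC derived from the compromised hosts finds it, while the benign WS-033 is untouched.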